Old 12th February 2007, 23:49   #181  |  Link
Electrox3d
Registered User
 
Join Date: Feb 2003
Posts: 41
Quote:
Originally Posted by arnezami View Post
I need 16 bytes (not 6 bytes) after the 00 22 00 00. So 10 more.
Here's the full string, making it 16 bytes including the 00 22 00 00:
00000000: 00 22 00 00 7f 58 3c b4 6c 30 99 e5 c8 99 44 08

Is this it? It seems the 00 22 00 00 shouldn't be part of the 16 bytes... after 99 44 08 there's a period, then it starts a new line with "0000010: xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"

Last edited by Electrox3d; 12th February 2007 at 23:52.
Old 12th February 2007, 23:58   #182  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Electrox3d View Post
Here's the full string, making it 16 bytes:
00000000: 00 22 00 00 7f 58 3c b4 6c 30 99 e5 c8 99 44 08

Is this it?
Sorry no still 4 bytes short.

What is the title of the movie? For full confirmation I probably also need the encrypted title key in the CPS unit key file. I'll try to find out where you can find that.
Old 12th February 2007, 23:58   #183  |  Link
Electrox3d
Registered User
 
Join Date: Feb 2003
Posts: 41
Quote:
Originally Posted by arnezami View Post
Yes that's it. Perfect.

What is the title of the movie? For full confirmation I probably also need something the encrypted CPS unit key. I'll try to find out where you can find that.
Talladega Nights The Ballad of Ricky Bobby (the edition that comes with ps3, not the uncut retail edition)

Ok, in addition, I found that the three lines in the hex editor equal up to 32 characters total (minus the 00 22 00 00) and this is probably the VolumeID and MAC, wouldn't you think?
00000000: 00 22 00 00 7f 58 3c b4 6c 30 99 e5 c8 99 44 08
00000010: 07 f7 41 4b xx xx xx xx xx xx xx xx xx xx xx xx
00000020: xx xx xx xx

So VolumeID is probably: 7f 58 3c b4 6c 30 99 e5 c8 99 44 08 07 f7 41 4b
Old 13th February 2007, 00:07   #184  |  Link
xyz987
Registered User
 
Join Date: Dec 2006
Posts: 142
Quote:
Originally Posted by arnezami View Post
Don't forget AnyDVD do not need to extract the Volume ID. Which could mean 1 of 2 things: they have the Host private key or they are guessing the HD DVD Volume IDs.
No, there is another method. They can redirect through Internet the USB connection between HD-DVD device (at home of AnyDVD user) and an authorized HD-DVD host (WinDVD, PowerDVD, whatsoever) running on an AnyDVD developers server. They can sniff VolumeID that way.

And another method: a hacked device firmware can also give you the VolumeID sans Host Private Key.
Old 13th February 2007, 00:14   #185  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Electrox3d View Post
Talladega Nights The Ballad of Ricky Bobby (the edition that comes with ps3, not the uncut retail edition)

Ok, in addition, I found that the three lines in the hex editor equal up to 32 characters total (minus the 00 22 00 00) and this is probably the VolumeID and MAC, wouldn't you think?
00000000: 00 22 00 00 7f 58 3c b4 6c 30 99 e5 c8 99 44 08
00000010: 07 f7 41 4b xx xx xx xx xx xx xx xx xx xx xx xx
00000020: xx xx xx xx

So VolumeID is probably: 7f 58 3c b4 6c 30 99 e5 c8 99 44 08 07 f7 41 4b
Yes this is right.

This results in the following Volume Unique Key:

Code:
9A C3 7C 74 93 F6 BA 64 A7 AE E2 D4 E8 6C 0F 8C
Now if you have a memdump it's probably in it. Otherwise we would have to use it to decrypt the encrypted CPS Unit Key (=Title Key for HD DVD).

PS. I have to go to sleep ....
Old 13th February 2007, 00:20   #186  |  Link
Electrox3d
Registered User
 
Join Date: Feb 2003
Posts: 41
Quote:
Originally Posted by arnezami View Post
Yes this is right.

This results in the following Volume Unique Key:

Code:
9A C3 7C 74 93 F6 BA 64 A7 AE E2 D4 E8 6C 0F 8C
Now if you have a memdump it's probably in it. Otherwise we would have to use it to decrypt the encrypted CPS Unit Key (=Title Key for HD DVD).

PS. I have to go to sleep ....
Tell me how to get a memdump. (aww... sleep?? where do u live??, it's mid-day here)
Old 13th February 2007, 00:28   #187  |  Link
xyz987
Registered User
 
Join Date: Dec 2006
Posts: 142
Quote:
Originally Posted by arnezami View Post
Now if you have a memdump it's probably in it. Otherwise we would have to use it to decrypt the encrypted CPS Unit Key (=Title Key for HD DVD).
CPS Unit Key of Talladega Nights (US PS3 version) is a previously published key. It was published at Janvitos thread. Here is the key:

243302819492872FB60BF20BCCE28531

Last edited by xyz987; 13th February 2007 at 00:42. Reason: stupid error
Old 13th February 2007, 00:36   #188  |  Link
guile
Registered User
 
Join Date: Oct 2002
Posts: 65
WOW!! A LOT has happened in a few days. Excellent work here. Please approve evdberg's file, I would like to play with it.
Old 13th February 2007, 00:49   #189  |  Link
HyperHacker
Resident DRM Hater
 
Join Date: Oct 2006
Location: International waters
Posts: 242
Quote:
Originally Posted by arnezami View Post
General question: does anybody have an (old) PowerDVD version that doesn't support HD/BD playback? Does it also have *.fcl files?
Do you still need this? I have PowerDVD 6 "2CH" that came with a DVD burner I bought recently. I see no mention of Blu-ray or HD-DVD on the disc; I've never actually used it (just now, to check the version, was the first time I ever even took it out of the sleeve) since VLC does the job nicely. (It wasn't an HD-DVD or Blu-ray drive, though, so I highly doubt they included software that could play those.)
__________________
Because Moogles pwn.
Old 13th February 2007, 04:18   #190  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Electrox3d View Post
Tell me how to get a memdump. (aww... sleep?? where do u live??, its mid-day here)
I'm sort of awake again. My biological clock is totally screwed.

Anyway.

Here is an easier check (I did the reverse by doing some encrypting). If all is correct (no typos, no mistakes, exact same movie, no bus encryption etc) this should be the encrypted CPS Unit Key:

Code:
81 9C CC E5 F7 FC F2 C8 F3 0F D5 59 F0 DD CA 0E
To check if this is correct you can open your Unit_Key_RO.inf file with winhex and hex search for 819CCCE5 and if found you can check if all 16 bytes are the same. If they are then we know the sniffed Volume ID is working for Blu-Ray as well... (that would be great news)

Btw: anybody with this movie (Talladega Nights - US PS3 version) can check this: the unit key file is on the disc.

Last edited by arnezami; 13th February 2007 at 04:25.
Old 13th February 2007, 06:34   #191  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by evdberg View Post
And a small PC prog to play around with it ... (had to convert it from my Mac test version)

Usage: mkb <mkb_file> [volume_id]
I can confirm it works correctly. Well done.

Thanks. That also saves me quite some time.

Regards,

arnezami

Last edited by arnezami; 13th February 2007 at 08:32.
Old 13th February 2007, 06:48   #192  |  Link
blutach
Country Member
 
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
For people suggesting AnyDVD do things:

1. We are not Slysoft's forum, although I know they read us.

2. I fervently hope that the work done freely and with such fervour, intellect and imagination by our members will not simply result in a commercial product being launched that takes advantage of all your good work. I truly hope that the work done here can merge into a user friendly freeware product to enable the soon to be many HD-DVD/BR users to backup their material.

Regards
__________________
Les

Only use genuine Verbatim or Taiyo Yuden media.
Old 13th February 2007, 08:48   #193  |  Link
xyz987
Registered User
 
Join Date: Dec 2006
Posts: 142
Quote:
Originally Posted by blutach View Post
For people suggesting AnyDVD do things:
I was just making a joke :-)

In fact I am a Linux user and a free software zealot, so I am not interested in AnyDVD :-)
Old 13th February 2007, 08:54   #194  |  Link
He-Man
Guest
 
Posts: n/a
Quote:
Originally Posted by Electrox3d View Post
Tell me how to get a memdump. (aww... sleep?? where do u live??, its mid-day here)
You don't actually need a memdump to get the Blu-ray Volume Unique Key and CPS Unit Key, just use ape's Blu-ray Key Finder while WinDVD is playing the Blu-ray disc:
http://forum.doom9.org/showthread.php?t=121021

ape has also made a similar HD DVD Volume Unique Key Finder:
http://forum.doom9.org/showthread.php?t=120970
Old 13th February 2007, 14:53   #195  |  Link
christopherw
Registered User
 
Join Date: Mar 2006
Posts: 24
Happy days Can't believe I only just heard about this!

Well done to all involved. Place your bets on when the movie industry'll finally take a hint
Old 13th February 2007, 16:47   #196  |  Link
FoxDisc
Registered User
 
Join Date: Jan 2007
Posts: 274
Quote:
Originally Posted by arnezami View Post
That basically means that having a Volume ID (IDv) and a Media Key (Km) you can calculate the Volume Unique Key (Kvu).

Or to illustrate it (I removed the currently unused parts):



The red part is the hard part: getting the Media Key** (usually from a software player by debugging/memory snooping). But this only has to be done once per MKB and can be done by a pro.

The yellow part is what I described above: we either can (nearly) predict the Volume ID or we can get it via simple USB sniffing (the software player can't do much about that apart from bus encryption which is not implemented yet).

The blue part is the easiest: if we have the Volume ID (also called IDv) and the Media Key (Km) we can calculate the Volume Unique Key (Kvu) and then the Title Keys (Kt). This of course enables us to decrypt the content itself.

Hope that clarifies a bit.

Regards,

arnezami

** Later in this thread it became clear we need a Processing Key. But it amounts to basically the same thing.
I would appreciate a summary/restatement/explanation of this. I've looked at some of the AACS source documents, but I still don't understand where the "processing key" fits into the picture. Specifically, it looked to me like the player stores a device key (in the player or player software) that was created from some master key in the secret possession of the AACS licensing authority. The device key is used to decrypt the MKB (on the disk) to get the media key (Km). The device key is subject to revocation by the AACSLA by changing the MKB on future disks such that the old revoked device key no longer works with the new MKB on the new disks to get a valid media key.

The media key is used with the volume ID (stored on the disk) to get the volume unique key (Kvu). After processing, this decrypted Kvu volume unique key is in the memory of WinDVD and can be grabbed by other tools developed here. It is specific to the disk. The volume unique key can be used to decrypt an encrypted title key (stored on the disk) to get the decrypted title key Kt which is now in memory of WinDVD and can also be grabbed by tools here when decrypted and being used in the memory.

If we had the device key, then the disk could be read directly to obtain the final decrypted title key without any of the memory reading. Memory reading to find title key/volume unique key is subject to attack by making it more difficult to find in memory simply by updating software players, without changing any issued device keys or MKBs. Knowledge of the device key makes it easy to write a decrypting program and is only subject to revocation using the MKB changing - device key revocation process, something the AACS LA may not be really anxious to do on a regular basis.

Where does the "processing key" of the title of this thread fit into this picture? Is it the same as the device key or am I missing an important piece of this puzzle and the decrypting process? Thanks for filling in any gaps/errors in my summary above.
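Added example, not part of any post in this thread: a deliberately simplified model of the key chain and revocation behaviour summarised in post #196 (device key, MKB, Km, Volume ID, Kvu, Kt). It is not AACS code: HMAC-SHA256 and XOR stand in for the AES-based functions AACS specifies, the MKB is modelled as one wrapped media key per device (an assumption), and every key is a constructed sample value.

```python
import hashlib
import hmac

def kdf(key: bytes, data: bytes) -> bytes:
    # Stand-in one-way function (NOT the AES-based function AACS specifies).
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def wrap(key: bytes, label: bytes, value: bytes) -> bytes:
    # Toy key wrap: XOR with a keystream derived from `key`; applying it twice unwraps.
    return bytes(a ^ b for a, b in zip(value, kdf(key, label)))

def make_disc(media_key, volume_id, title_key, device_keys, revoked=()):
    # Assumption: MKB modelled as one wrapped copy of Km per non-revoked device.
    mkb = {d: wrap(k, b"mkb", media_key)
           for d, k in device_keys.items() if d not in revoked}
    kvu = kdf(media_key, volume_id)
    return {"mkb": mkb, "volume_id": volume_id,
            "enc_title_key": wrap(kvu, b"kt", title_key)}

def volume_unique_key(disc, device, device_key):
    # Device key -> Km (via MKB) -> Kvu (with Volume ID); None if the device is revoked.
    if device not in disc["mkb"]:
        return None
    km = wrap(device_key, b"mkb", disc["mkb"][device])
    return kdf(km, disc["volume_id"])

def title_key_from_kvu(disc, kvu):
    # Kvu unwraps the encrypted title key stored on the disc.
    return wrap(kvu, b"kt", disc["enc_title_key"])

def demo():
    c = lambda s: hashlib.sha256(s).digest()[:16]  # constructed sample keys
    devices = {"player_a": c(b"dk-a"), "player_b": c(b"dk-b")}
    kt1, kt2 = c(b"kt-1"), c(b"kt-2")
    disc1 = make_disc(c(b"km-1"), c(b"vid-1"), kt1, devices)
    # Later pressing: new media key, player_a's device key revoked in the MKB.
    disc2 = make_disc(c(b"km-2"), c(b"vid-2"), kt2, devices, revoked={"player_a"})
    kvu1 = volume_unique_key(disc1, "player_a", devices["player_a"])
    kvu2_b = volume_unique_key(disc2, "player_b", devices["player_b"])
    return {
        "a_revoked_on_disc2":
            volume_unique_key(disc2, "player_a", devices["player_a"]) is None,
        "b_plays_disc2": title_key_from_kvu(disc2, kvu2_b) == kt2,
        "old_kvu_still_opens_disc1": title_key_from_kvu(disc1, kvu1) == kt1,
        "old_kvu_opens_disc2": title_key_from_kvu(disc2, kvu1) == kt2,
    }
```

In this model, revoking a device key through a new MKB only affects discs pressed afterwards; a Kvu already derived for an earlier disc keeps working for that disc and is useless for the new one.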
Old 13th February 2007, 17:12   #197  |  Link
oddball
Registered User
 
Join Date: Jan 2002
Posts: 1,262
I predict by the time they start revoking (if ever) the whole thing will have been broken wide open. Well I hope so anyhow. Everything that can be made by man can also be broken with some ingenuity. The first Quantum computer was recently announced. When those start appearing on desktops the encryption used will become moot. But it will probably be cracked before then even looking at the speed it's moving right now.
Old 13th February 2007, 17:40   #198  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
sorry offtopic..

on german news site HEISE is an article all about this *g.
Old 13th February 2007, 17:46   #199  |  Link
FoxDisc
Registered User
 
Join Date: Jan 2007
Posts: 274
Quote:
Originally Posted by oddball View Post
I predict by the time they start revoking (if ever) the whole thing will have been broken wide open. Well I hope so anyhow. Everything that can be made by man can also be broken with some ingenuity. The first Quantum computer was recently announced. When those start appearing on desktops the encryption used will become moot. But it will probably be cracked before then even looking at the speed it's moving right now.
It may look like things are moving fast, but IMHO, nothing being done here comes anywhere near to breaking the cryptography that AACS relies on. Let's face it. The **AA has a near hopeless task. They have to let people watch movies, so no matter how much advanced cryptography they use, they have to give the users the keys to decrypt the data. The keys have to be inside the player, so the best they can do is make it hard to get those keys. That's what's being done here - people are finding the keys that they give us. I see no sign that anyone is breaking any encryption by figuring out keys they don't give us (the master key held by the AACS LA) or even calculating the keys they've already given us (device keys) as opposed to finding them in memory when being used.

Of course, no one needs to break the encryption - finding keys they give us is good enough. It's probably harder for the AACS LA to change device keys and MKBs than it is for others to find them.

Perhaps quantum computing will eventually allow the encryption to be broken, but until then, the AACS system still technically "works" and they can revoke device keys and force them to be found again. All they manage to do is piss off their customers when authorized equipment won't work and DRM free backups do. Eventually, they are bound to see the light.
Old 13th February 2007, 17:59   #200  |  Link
Electrox3d
Registered User
 
Join Date: Feb 2003
Posts: 41
Quote:
Originally Posted by arnezami View Post
I'm sort of awake again. My biological clock is totally screwed.

Anyway.

Here is an easier check (I did the reverse by doing some encrypting). If all is correct (no typos, no mistakes, exact same movie, no bus encryption etc) this should be the encrypted CPS Unit Key:

Code:
81 9C CC E5 F7 FC F2 C8 F3 0F D5 59 F0 DD CA 0E
To check if this is correct you can open your Unit_Key_RO.inf file with winhex and hex search for 819CCCE5 and if found you can check if all 16 bytes are the same. If they are then we know the sniffed Volume ID is working for Blu-Ray as well... (that would be great news)

Btw: anybody with this movie (Talladega Nights - US PS3 version) can check this: the unit key file is on the disc.
Yup, I opened Unit_Key_RO.inf and found that CPS Unit Key.
Code:
81 9C CC E5 F7 FC F2 C8 F3 0F D5 59 F0 DD CA 0E
Awesome!

Last edited by Electrox3d; 13th February 2007 at 18:03.